
Did you upload (submit) both encrypted files and ransom notes together to ID Ransomware? Doing that provides a more positive match and helps to avoid false detections.

Any files that are encrypted with Cerber v4x/v5x will be renamed (encrypted) with 10 random characters followed by a random 4-character hexadecimal extension appended to the end of the encrypted data filename (i.e. 1xQHJgozZM.b71c, 0ezTpYXxVn.b6d3, n3yJiVM0Nn.a60d) and leave files (ransom notes) named README.hta, README.html, _HEJDDP_README_.hta, _READ_THIS_FILE_<random hexadecimal>.html (i.e. _5M6C2B8.html), _HELP_HELP_HELP_<random hexadecimal>.hta (i.e. _5M6C2B8.hta) as explained here. Any files that are encrypted with Cerber v5x will also include a few new changes as explained here.

CRBR Encryptor is a renamed version of Cerber that is used in the ransom note. CRBR Encryptor still encrypts files with 10 random characters followed by a random 4-character hexadecimal extension appended to the end of the encrypted data filename (i.e. 1xQHJgozZM.b71c) and leaves files (ransom notes) named _R_E_A_D___T_H_I_S_.hta, _R_E_A_D___T_H_I_S_.txt as explained here.
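The naming conventions quoted above can be turned into a quick triage check to run over a directory listing before submitting anything to ID Ransomware. The Python below is an added example, not code from this thread, from ID Ransomware or from any of the posters. The alphabet for the 10 "random characters" is an assumption (the thread does not define it), the suffix after `_READ_THIS_FILE_` / `_HELP_HELP_HELP_` is matched as alphanumeric rather than strictly hex because the thread's own example `_5M6C2B8` contains an `M`, and the three listings are constructed, not real victim data.

```python
import re
from collections import Counter

# Encrypted-file naming described in the thread: 10 random characters plus a
# 4-character hexadecimal extension. The character class for the 10 "random
# characters" is an assumption; the thread only says "random characters".
ENCRYPTED_NAME = re.compile(r"^[A-Za-z0-9_-]{10}\.[0-9a-f]{4}$")

# Ransom-note names quoted in the thread, grouped by the family they indicate.
# The random suffix is matched as alphanumeric (assumption) because the
# thread's example _5M6C2B8 is not pure hex.
NOTE_PATTERNS = {
    "cerber_v4_v5": re.compile(
        r"^(README\.hta|README\.html|_HEJDDP_README_\.hta|"
        r"_READ_THIS_FILE_[A-Za-z0-9]+\.html|_HELP_HELP_HELP_[A-Za-z0-9]+\.hta)$"
    ),
    "crbr_encryptor": re.compile(r"^_R_E_A_D___T_H_I_S_\.(hta|txt)$"),
}


def classify_listing(names):
    """Split a directory listing into Cerber-style encrypted names and known notes."""
    encrypted = [n for n in names if ENCRYPTED_NAME.match(n)]
    extensions = Counter(n.rsplit(".", 1)[1] for n in encrypted)
    notes = {}
    for family, pattern in NOTE_PATTERNS.items():
        hits = [n for n in names if pattern.match(n)]
        if hits:
            notes[family] = hits
    return encrypted, extensions, notes


def triage(names):
    """Summarise what the listing suggests and what to submit for identification."""
    encrypted, extensions, notes = classify_listing(names)
    families = sorted(notes)
    if families:
        verdict = "ransom note matches " + ", ".join(families)
    elif encrypted:
        # A name-pattern hit with no recognised note is only a hint: the
        # 4-hex-character extension is shared by other families.
        verdict = ("file names fit the Cerber pattern but no known note was found; "
                   "the pattern alone is not conclusive")
    else:
        verdict = "no Cerber/CRBR indicators in this listing"
    return {
        "verdict": verdict,
        "families": families,
        "encrypted_count": len(encrypted),
        "extensions": dict(extensions),
        "notes": notes,
        "submit": "one encrypted file plus every ransom note found",
    }


# Constructed listings for the demonstration (not real victim data).
LISTING_CERBER = [
    "1xQHJgozZM.b71c", "0ezTpYXxVn.b6d3", "n3yJiVM0Nn.a60d",
    "README.hta", "README.html", "_READ_THIS_FILE_5M6C2B8.html",
    "desktop.ini", "budget-2017.xlsx",
]
LISTING_CRBR = [
    "Zq8LpW2mNc.0f3e", "_R_E_A_D___T_H_I_S_.hta", "_R_E_A_D___T_H_I_S_.txt",
    "photo.jpg",
]
# Mirrors the case in this thread: an e-mail address inserted into the name
# and a .b007 extension, with a note nobody recognises.
LISTING_UNKNOWN = ["report.docx.user@mail.com.b007", "Readme.txt", "photo.jpg"]

if __name__ == "__main__":
    for listing in (LISTING_CERBER, LISTING_CRBR, LISTING_UNKNOWN):
        print(triage(listing)["verdict"])
```

The third listing is the point of the exercise: a 4-hex-character extension on its own proves nothing, which is why the advice in the thread is to submit the note and an encrypted file together rather than rely on the extension.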

Yeah, did upload readme file and an encrypted file with the .b007 extension. No match.

The encrypted sample had the "*@mail.com" (see the pastebin link) email address inserted into the filename too.

If anyone gets smarter on this by having an encrypted sample file, msg me.


If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

Example screenshot:

If you can find the malicious executable that you suspect was involved in causing the infection, it can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button...it's best to compress large files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.


Messing with the BIOS clock won't do anything to decrypt files... you can't just turn back time that way, lol.

I don't recognize the note or anything with this. The file looks to be encrypted with AES-ECB though, or some other repeating-key cipher possibly. Can you provide a few encrypted files and their originals?
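A guess like "looks like AES-ECB" usually comes from one observation: the same 16-byte block recurring throughout the ciphertext, because ECB maps identical plaintext blocks to identical ciphertext blocks and most documents contain repeated content (zero padding, headers, blank records). The Python below is an added example of that check and is not Demonslay335's tooling or anything from this thread. To keep it dependency-free, the "block cipher" is a keyed-hash stand-in, not AES; it is only there to reproduce the structural leak of ECB versus a chained mode. The key, IV and plaintext are constructed.

```python
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes


def block_repeat_ratio(data: bytes, block: int = BLOCK) -> float:
    """Fraction of full-size blocks that are exact repeats of an earlier block.

    Plaintext with repetition encrypted in ECB keeps those repeats; CBC/CTR
    style output should score close to zero. Trailing partial blocks are ignored.
    """
    usable = len(data) - len(data) % block
    chunks = [data[i:i + block] for i in range(0, usable, block)]
    if not chunks:
        return 0.0
    duplicates = sum(n - 1 for n in Counter(chunks).values())
    return duplicates / len(chunks)


def looks_like_ecb(data: bytes, threshold: float = 0.05) -> bool:
    """Heuristic only: true when repeated blocks exceed the threshold."""
    return block_repeat_ratio(data) > threshold


# --- stand-in cipher for the demonstration (assumption: NOT AES) -------------
def _codebook(key: bytes, block: bytes) -> bytes:
    # Deterministic per (key, block), like any block cipher's codebook.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_ecb_like(key: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    return b"".join(_codebook(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def encrypt_cbc_like(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _codebook(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


# Constructed inputs: a 16-byte header, 40 identical zero-filled records and a
# 16-byte trailer, so 39 of the 42 blocks are repeats of an earlier block.
KEY = b"\x01" * 16
IV = b"\x02" * 16
SAMPLE_PLAINTEXT = b"INVOICE-2017-03 " + (b"\x00" * BLOCK) * 40 + b"END OF DOCUMENT "

if __name__ == "__main__":
    for label, ct in (("ecb", encrypt_ecb_like(KEY, SAMPLE_PLAINTEXT)),
                      ("cbc", encrypt_cbc_like(KEY, IV, SAMPLE_PLAINTEXT))):
        print(label, round(block_repeat_ratio(ct), 3), looks_like_ecb(ct))
```

Two caveats a practitioner should keep in mind. The test only discriminates between modes once you already know the bytes are encrypted: the unencrypted plaintext above scores just as high, so pair it with an entropy check or a known file header. And a compressed or already-random input encrypted in ECB shows no repeats at all, so a low score does not rule ECB out. A repeating-key stream cipher, the other possibility raised above, leaks differently, through periodic structure rather than whole-block repeats, and needs a separate check.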

I know messing with the BIOS clock won't fix anything with the files. The owner of the data in this case was worried about the details in the Readme file stating "To return your files you have 72 hours".
This time expired this afternoon local time. My hint about the BIOS was if there could be any potential malicious code which started to wipe data.

I actually don't know how the 2003 server was infected (virus on the LAN?) since I haven't been part of that work, just the data recovery part. It was a small family company - as with them many times - they don't really know the best practices to protect their information assets, sadly.

I will see if I can get more encrypted files tomorrow and potentially the code itself, if resident on disk.


In most cases victims can ignore any warnings in the ransom note that mention files will be deleted or unrecoverable after so many hours or days... it typically is just a scare tactic to get victims to quickly pay the ransom.